Subject: [xsl] RE: Re: Saxon Servlet|
From: owner-xsl-list@xxxxxxxxxxxxxxxxxxxxxx (by way of B. Tommie Usdin)
Date: Fri, 2 Mar 2001 09:30:29 -0500
Date: Thu, 1 Mar 2001 21:38:33 -0800 (PST) From: Dimitre Novatchev <dnovatchev@xxxxxxxxx> Subject: RE: Re: Saxon Servlet To: mhkay@xxxxxxxxxxxx Cc: xsl-list@xxxxxxxxxxxxxxxxxxxxxx MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii
> I am having a very simple problem (even though I do not know > how to solve > it :)) with the SaxonServlet provided with the src code > samples. Basically, > I want to pass both my XML source and XSL source as URL's > which are located on a different machine.
There are security reasons why this isn't allowed, someone running a web site doesn't want users to be able to run an arbitrary stylesheet, possibly containing calls on extension functions, on that server.
In fact there's an implementation -- the Remote XML Workbench allows clients to post two string parameters, one -- the text of an xml document, the other -- the text of a stylesheet.
On the server the stylesheet is applied to the xml document and the result string is returned to the client.
It is true that there are serious security issues. They are dealt with by pre-scanning the provided stylesheet with a security checking stylesheet.
Since last August there hasn't been a single security violation. The only problem is that MSXML can crash under deep recursive processing -- I'm really impatient to have this finally fixed in MSXML.
__________________________________________________ Do You Yahoo!? Get email at your own domain with Yahoo! Mail. http://personal.mail.yahoo.com/